Date: Wed, 2 Nov 2022 17:29:39 GMT From: Dmitri Goutnik <dmgk@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 2c5d44267619 - main - security/vuxml: Document Go vulnerability Message-ID: <202211021729.2A2HTdrb094619@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by dmgk: URL: https://cgit.FreeBSD.org/ports/commit/?id=2c5d44267619f68a41e8adb3477b719ac332ed69 commit 2c5d44267619f68a41e8adb3477b719ac332ed69 Author: Dmitri Goutnik <dmgk@FreeBSD.org> AuthorDate: 2022-11-01 21:03:36 +0000 Commit: Dmitri Goutnik <dmgk@FreeBSD.org> CommitDate: 2022-11-02 17:29:02 +0000 security/vuxml: Document Go vulnerability --- security/vuxml/vuln-2022.xml | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/security/vuxml/vuln-2022.xml b/security/vuxml/vuln-2022.xml index ade308d2ed3d..97273b1d0da7 100644 --- a/security/vuxml/vuln-2022.xml +++ b/security/vuxml/vuln-2022.xml @@ -1,3 +1,40 @@ + <vuln vid="26b1100a-5a27-11ed-abfe-29ac76ec31b5"> + <topic>go -- syscall, os/exec: unsanitized NUL in environment variables</topic> + <affects> + <package> + <name>go118</name> + <range><lt>1.18.8</lt></range> + </package> + <package> + <name>go119</name> + <range><lt>1.19.3</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>The Go project reports:</p> + <blockquote cite="https://go.dev/issue/56284">; + <p>syscall, os/exec: unsanitized NUL in environment + variables</p> + <p>On Windows, syscall.StartProcess and os/exec.Cmd did not + properly check for invalid environment variable values. A + malicious environment variable value could exploit this + behavior to set a value for a different environment + variable. For example, the environment variable string + "A=B\x00C=D" set the variables "A=B" and "C=D".</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2022-41716</cvename> + <url>https://groups.google.com/g/golang-dev/c/83nKqv2W1Dk/m/gEJdD5vjDwAJ</url>; + </references> + <dates> + <discovery>2022-10-17</discovery> + <entry>2022-11-01</entry> + </dates> + </vuln> + <vuln vid="0844671c-5a09-11ed-856e-d4c9ef517024"> <topic>OpenSSL -- Buffer overflows in Email verification</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202211021729.2A2HTdrb094619>